<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">



  
  
    
    
  <script src="/lib/pace/pace.min.js?v=1.0.2"></script>
  <link href="/lib/pace/pace-theme-minimal.min.css?v=1.0.2" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">



  <meta name="google-site-verification" content="SOqsL8PexCDMo8ubmGTRngo5fAy0r6255DCMfRC5Bzg">














  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">




  
  
  
  

  
    
    
  

  

  

  

  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.2" rel="stylesheet" type="text/css">


  <meta name="keywords" content="运维,">








  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=5.1.2">






<meta name="description" content="最近遇到一个比较搞的问题，有关 linux 下的文件权限。因为发现解决问题之后的答案是我们很多工作多年的攻城狮以前都没有重视过的，所以特别写下来，帮助加深记忆。 【背景】同事学习 lnmp，搭好 CentOS 6.5 的环境之后，新建了一个用户组 test，在该组别下新建了一个用户 test，然后准备用这个用户模拟 nginx 和 php-fpm 进程的启动用户，跟着手册上做实践。 【关键信息】">
<meta name="keywords" content="运维">
<meta property="og:type" content="article">
<meta property="og:title" content="再学习 Linux 下的文件权限">
<meta property="og:url" content="http://i.am.simonkuang.com/post/sticky-bit-of-files-under-linux/index.html">
<meta property="og:site_name" content="旷{&lt;i&gt;氏&lt;&#x2F;i&gt; }淇元">
<meta property="og:description" content="最近遇到一个比较搞的问题，有关 linux 下的文件权限。因为发现解决问题之后的答案是我们很多工作多年的攻城狮以前都没有重视过的，所以特别写下来，帮助加深记忆。 【背景】同事学习 lnmp，搭好 CentOS 6.5 的环境之后，新建了一个用户组 test，在该组别下新建了一个用户 test，然后准备用这个用户模拟 nginx 和 php-fpm 进程的启动用户，跟着手册上做实践。 【关键信息】">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2018-10-09T12:37:20.135Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="再学习 Linux 下的文件权限">
<meta name="twitter:description" content="最近遇到一个比较搞的问题，有关 linux 下的文件权限。因为发现解决问题之后的答案是我们很多工作多年的攻城狮以前都没有重视过的，所以特别写下来，帮助加深记忆。 【背景】同事学习 lnmp，搭好 CentOS 6.5 的环境之后，新建了一个用户组 test，在该组别下新建了一个用户 test，然后准备用这个用户模拟 nginx 和 php-fpm 进程的启动用户，跟着手册上做实践。 【关键信息】">



<script type="text/javascript" id="hexo.configurations">
  // Theme namespace shared by the NexT front-end scripts loaded later on the
  // page; reuse it if an earlier script already created it.
  var NexT = window.NexT || {};

  // Build-time configuration read by the theme scripts (this element carries
  // the generator's id "hexo.configurations"). Plain data, no user input.
  var CONFIG = {
    root: "/",
    scheme: "Pisces",
    version: "5.1.2",
    sidebar: {
      position: "right",
      display: "post",
      offset: 12,
      offset_float: 12,
      b2t: false,
      scrollpercent: false,
      onmobile: false
    },
    fancybox: true,
    tabs: true,
    motion: true,
    duoshuo: {
      userId: "0",
      author: "博主"
    },
    algolia: {
      applicationID: "",
      apiKey: "",
      indexName: "",
      hits: { per_page: 10 },
      // Ordinary strings: the ${...} tokens are substituted by the theme, not
      // by JavaScript template interpolation.
      labels: {
        input_placeholder: "Search for Posts",
        hits_empty: "We didn't find any results for the search: ${query}",
        hits_stats: "${hits} results found in ${time} ms"
      }
    }
  };
</script>



  <link rel="canonical" href="http://i.am.simonkuang.com/post/sticky-bit-of-files-under-linux/">





  <title>再学习 Linux 下的文件权限 | 旷{<i>氏</i> }淇元</title>
  




<script>
  // Standard analytics.js bootstrap written out long-hand: publish the
  // command-queue stub as window.ga, then inject the library script asynchronously.
  (function (win, doc, tagName, libUrl, globalName) {
    win['GoogleAnalyticsObject'] = globalName;
    // Queue stub: commands issued before the library arrives are buffered in .q
    win[globalName] = win[globalName] || function () {
      (win[globalName].q = win[globalName].q || []).push(arguments);
    };
    win[globalName].l = 1 * new Date();
    var loader = doc.createElement(tagName);
    var anchor = doc.getElementsByTagName(tagName)[0];
    loader.async = 1;
    loader.src = libUrl;
    anchor.parentNode.insertBefore(loader, anchor);
  })(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
  ga('create', 'UA-45245769-1', 'auto');
  ga('send', 'pageview');
</script>





</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-right page-post-detail">

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://i.am.simonkuang.com/post/sticky-bit-of-files-under-linux/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="Simon Kuang">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="http://upload.jianshu.io/users/upload_avatars/69775/1a6d1438fd5d.jpg?imageMogr/thumbnail/90x90/quality/100">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="旷{<i>氏</i> }淇元">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">再学习 Linux 下的文件权限</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2015-10-22T10:37:23+08:00">
                2015-10-22
              </time>
            

            

            
          </span>

          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a href="/post/sticky-bit-of-files-under-linux/#comments" itemprop="discussionUrl">
                  <span class="post-comments-count disqus-comment-count" data-disqus-identifier="post/sticky-bit-of-files-under-linux/" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.5.1/katex.min.css"><p>最近遇到一个比较搞的问题，有关 linux 下的文件权限。因为发现解决问题之后的答案是我们很多工作多年的攻城狮以前都没有重视过的，所以特别写下来，帮助加深记忆。</p>
<h3><span id="背景">【背景】</span></h3><p>同事学习 <code>lnmp</code>，搭好 <code>CentOS</code> 6.5 的环境之后，新建了一个用户组 <code>test</code>，在该组别下新建了一个用户 <code>test</code>，然后准备用这个用户模拟 <code>nginx</code> 和 <code>php-fpm</code> 进程的启动用户，跟着手册上做实践。</p>
<h3><span id="关键信息">【关键信息】</span></h3><ul>
<li>用户：<code>test:test</code></li>
<li>目录：<code>/www/test</code></li>
<li>目录权限：<code>drwxrwxrwx.  2 root  root      40 Oct 21 16:43 test</code></li>
<li>文件：<code>/www/test/index.html</code></li>
<li>文件权限：<code>-rw-r--r--. 1 root root   0 Oct 22 10:04 index.html</code></li>
</ul>
<h3><span id="现象">【现象】</span></h3><ol>
<li>先用 <code>root</code> 的身份 <code>touch</code> 了一个空文件 <code>index.html</code>；</li>
<li><code>su test</code>，然后以 <code>test</code> 用户的身份去删除这个空文件；</li>
<li>WTF！！！ 竟然删除文件成功了？？？！！！</li>
</ol>
<p><strong>普通用户删除了 <code>root</code> 用户的文件</strong>，我保证，刚看到这个现象的时候，我内心绝对是崩溃的。</p>
<h3><span id="解决的途径">【解决的途径】</span></h3><p>首先，检查了 <code>test</code> 用户的用户组，确认的确是 <code>test</code> 组。</p>
<p>其次，检查文件和目录的权限，除了 <code>test</code> 目录没有按照惯例设置、而是被设置成了 <code>0777</code> 之外，没有什么特别的。不可能一个 <code>0777</code> 还能捣蛋吧？！</p>
<p>再次，<code>visudo</code> 命令检查有没有给 <code>test</code> 做高规格的授权。结论是：否。默认配置，没有可疑的配置。</p>
<p>接下来检查 <code>rm</code> 命令有没有被动过手脚。考虑到这是一台从 min 发行版正常安装起来的<strong>测试机</strong>，到这里我觉得已经有点儿过了。不过没关系，面对系统『问题』，谨慎一些总是好的。</p>
<p>之后又检查了 <code>uid</code> 和 <code>gid</code>，确保 <code>test:test</code> 没有占用一些有特殊作用的保留 id。</p>
<p>最后，还找不到问题，已经过去了半个多小时。猛然想起什么，试了一下除开 <code>test</code> 的其它用户，发现都能重现这个问题。至此发现问题的源头不在 <code>test</code> 这个用户身上。</p>
<h3><span id="答案">【答案】</span></h3><p>发现源头不在 <code>test</code> 用户身上之后，就走上了正路。如果不是用户或者用户组本身拥有超级权限，那么多半的多半，是权限本身的设计问题。</p>
<p>按经验，对客观存在的东西，<strong>不是 bug，就是一个 feature</strong>。</p>
<p>于是开始<a href="http://www.itechzero.com/google-mirror-sites-collect.html" target="_blank" rel="noopener">谷歌</a> Linux 文件权限相关的手册，终于终于找到了<a href="http://vbird.dic.ksu.edu.tw/linux_basic/0210filepermission.php" target="_blank" rel="noopener">鸟哥 Linux 私房菜——第六章、Linux 的文件权限及目录配置</a>（很奇怪，鸟哥的文档以简体形式放在宝岛学校的官网上），以及 <a href="https://en.wikipedia.org/wiki/Sticky_bit" target="_blank" rel="noopener">Sticky bit</a> 的维基页。算是为这件事情做了一个注解。</p>
<p>鸟哥说：</p>
<blockquote>
<ul>
<li>权限对目录的重要性<ul>
<li>r (read contents in directory)：<br>……</li>
<li>w (modify contents of directory)：<br> 这个可写入的权限对目录来说，是很了不起的！ 因为他表示你具有异动该目录结构列表的权限，也就是底下这些权限：<ul>
<li>建立新的文件与目录；</li>
<li>删除已经存在的文件与目录(不论该文件的权限为何！)</li>
<li>将已存在的文件或目录进行更名；</li>
<li>搬移该目录内的文件、目录位置。<br>总之，目录的w权限就与该目录底下的文件名异动有关就对了啦！</li>
</ul>
</li>
<li>x (access directory)：<br>……</li>
</ul>
</li>
</ul>
</blockquote>
<p>维基说：</p>
<blockquote>
<p>…<br>When a directory’s sticky bit is set, the filesystem treats the files in such directories in a special way so only the file’s owner, the directory’s owner, or root can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of the file’s owner.</p>
</blockquote>
<h3><span id="解决办法">【解决办法】</span></h3><ol>
<li>一定不要给多余的权限（本例中正是目录上的 <code>0777</code> 让其他用户拿到了目录的 <code>w</code> 权限，从而可以删除目录里任何人的文件）。这件事要养成习惯！任何可能接触到系统的人都要培养出来。</li>
<li>对于共用目录，一定要对这个目录激活 <code>sticky bit</code>（例如 <code>chmod +t /www/test</code>，或者 <code>chmod 1777 /www/test</code>）。比如 <code>/tmp</code> 目录就默认激活了 <code>sticky bit</code> 的，这样大家共用这个目录也不会混乱。</li>
<li><code>sticky bit</code> 的限制不能继承，也就是说只对激活了 <code>sticky bit</code> 的那个目录本身直接包含的文件有效，其子目录需要单独设置。</li>
</ol>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/运维/" rel="tag"># 运维</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/post/angular-js-docs-for-the-users-in-the-wall/" rel="prev" title="angularjs 的设计文档及部分官方资料">
                angularjs 的设计文档及部分官方资料 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          


        </div>
        
          
  


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">
  
  &copy;  2005 &mdash; 
  <span itemprop="copyrightYear">2019</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Simon Kuang</span>

  
</div>


<script src="https://unpkg.com/mermaid@8.0.0/dist/mermaid.min.js"></script>
<script>
  // Initialise mermaid only if the library fetched just above actually loaded.
  // NOTE(review): that library comes from a third-party CDN without an
  // integrity attribute; the version is pinned, but SRI would also pin the bytes.
  window.mermaid && window.mermaid.initialize({ startOnload: true });
</script>





        




  <script type="text/javascript">
    // Tencent Analytics (tajs) loader: inject the stats script ahead of the
    // first <script> element on the page.
    // NOTE(review): the src is protocol-relative, so it inherits the page
    // scheme; this page's canonical URL is plain http, meaning the tracker can
    // load over HTTP as well. An explicit https:// URL would avoid that.
    (function () {
      var firstScript = document.getElementsByTagName("script")[0];
      var statsScript = document.createElement("script");
      statsScript.src = "//tajs.qq.com/stats?sId=56218002";
      firstScript.parentNode.insertBefore(statsScript, firstScript);
    })();
  </script>




        
      </div>
    </footer>

    
    

  </div>

  

<script type="text/javascript">
  // Discard any window.Promise that is not a plain native function (the
  // toString tag check rejects polyfill objects) — presumably so the theme
  // libraries loaded below fall back to their non-Promise code paths; confirm.
  (function (global) {
    var promiseTag = Object.prototype.toString.call(global.Promise);
    if (promiseTag !== '[object Function]') {
      global.Promise = null;
    }
  })(window);
</script>









  












  
  <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>

  
  <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>

  
  <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>

  
  <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>

  
  <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>

  
  <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.2"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.2"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.2"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.2"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.2"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.2"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.2"></script>



  


  

    
      <script id="dsq-count-scr" src="https://kuangqiyuan.disqus.com/count.js" async></script>
    

    
      <script type="text/javascript">
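        // Disqus reads this global from embed.js once it loads; it must stay
        // at top level. `this` is the Disqus config object.
        var disqus_config = function () {
          this.page.url = 'http://i.am.simonkuang.com/post/sticky-bit-of-files-under-linux/';
          this.page.identifier = 'post/sticky-bit-of-files-under-linux/';
          this.page.title = '再学习 Linux 下的文件权限';
        };
        // Loader kept inside an IIFE so its helper variables are no longer
        // leaked as the globals `d` and `s`, which other inline scripts on the
        // page could collide with.
        // NOTE(review): embed.js is a third-party script injected without an
        // integrity check; that is inherent to how Disqus is embedded.
        (function (doc) {
          var embed = doc.createElement('script');
          embed.src = 'https://kuangqiyuan.disqus.com/embed.js';
          // Cache-busting timestamp, as in the stock Disqus snippet.
          embed.setAttribute('data-timestamp', '' + +new Date());
          (doc.head || doc.body).appendChild(embed);
        })(document);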
      </script>
    

  




	





  












  





  

  

  

  

  

  

</body>
</html>
